

Tuesday, March 30, 2010

OAuth access to IMAP/SMTP in Gmail

Google has long believed that users should be able to export their data and use it with whichever service they choose. For years, the Gmail service has supported standard API protocols like POP and IMAP at no extra cost to our users. These efforts are consistent with our broader data liberation efforts.

In addition to making it easier for users to export their data, we also enable them to authorize third party (non-Google developed) applications and websites to access their data at Google. One of the more common examples is allowing a social network to access your address book in order to send invitations to your friends.

While it is possible for a user to authorize this access by disclosing their Google Account password to the third party app, it is more secure for the app developer to use the industry standard protocol called OAuth which enables the user to give their consent for specific access without sharing their password. Most Google APIs support this OAuth standard, and starting today it is also available for the IMAP/SMTP feature of Gmail.
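As an added illustration (not code from this post or from Google), here is how a mail client presents an OAuth access token to Gmail's IMAP server instead of a password. The post predates the finalized mechanism, so this assumes the SASL XOAUTH2 format Google later documented, with a constructed user and token.

```python
import base64
import imaplib
import ssl

# Constructed sample values; a real client obtains the token from the OAuth consent flow.
SAMPLE_USER = "someuser@example.com"
SAMPLE_TOKEN = "ya29.constructed-sample-token"


def build_xoauth2_response(user: str, access_token: str) -> bytes:
    """Build the SASL XOAUTH2 initial client response.

    Wire format: "user=<addr>\x01auth=Bearer <token>\x01\x01". Only the bearer
    token crosses the wire; the account password is never sent to the server.
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def encode_xoauth2_response(user: str, access_token: str) -> str:
    """Base64 form of the response, as it appears on the AUTHENTICATE line."""
    return base64.b64encode(build_xoauth2_response(user, access_token)).decode()


def parse_xoauth2_response(raw: bytes) -> dict:
    """Decode a client response the way a server would, rejecting malformed input."""
    text = raw.decode()
    if not text.endswith("\x01\x01"):
        raise ValueError("missing terminating \\x01\\x01")
    fields = {}
    for part in text[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    fields["token"] = fields["auth"][len("Bearer "):]
    return fields


def imap_login_with_token(user: str, access_token: str, host: str = "imap.gmail.com"):
    """Hypothetical client flow: TLS to the IMAP server, then AUTHENTICATE XOAUTH2.

    imaplib base64-encodes whatever the callback returns, so the raw SASL
    string is handed over, not a pre-encoded one.
    """
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    conn.authenticate("XOAUTH2", lambda _challenge: build_xoauth2_response(user, access_token))
    return conn
```

Revoking the token at Google ends this client's access without the user changing a password, which is the property the post describes.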

One of the first companies using this feature is Syphir, in their SmartPush application for the iPhone, as shown in the screenshots below. Unlike other push apps, Syphir's SmartPush application never sees or stores the user's Gmail password thanks to this new OAuth support.

We look forward to finalizing an Internet standard for using OAuth with IMAP/SMTP, and working with IMAP/SMTP mail clients to add that support.

Assuming they support this for the enterprise or education editions of Google Apps, it's an advantage if you're using single sign-on, since you no longer have to provision user passwords to Google for IMAP access.

For those wondering why you'd want to use OAuth for installed apps, one advantage for the user is that they can deauthorize your app without having to change their password and reauthorize all the other apps that access their Google accounts.

It also creates a lower bar of trust you need from the customer because, although you're getting access to mail as if you had their ID and password, they can limit your access to mail and keep you out of their other Google services.

You know, this really only works properly if you forward the request to the system standard browser (Mobile Safari on the iPhone) instead of having the Google login form directly in the app. If the Google login form gets presented in the app, who's to say that it's not spoofed by the app? How do you know you're not actually sending your password to the app and they're just proxying the request on the backend?

We are building an application using IMAP to copy email from a first Gmail account into a second Gmail account, and it takes as much time as the size of the email, by first downloading from the first Gmail account and then uploading into the second Gmail account. This becomes an issue when the user has emails with large attachments, say 4-5 MB each. Will OAuth help to reduce this time, or can it even directly copy between two accounts on the server without download and then upload? Any comment will be helpful.

I'm really glad to see this being implemented, and I hope developers of Gmail apps out there realize that they best be switching to using OAuth soon (if feasible of course).

I hate the idea of having to give my login details for my entire Google account to an application that just notifies me if I have new mail. I really can't wait to have OAuth support implemented so I no longer have to give out high-access credentials to a basic app.

Question: Does using OAuth change anything with regard to whether the user has to manually enable IMAP access before my third-party app can have access to the customer's email via IMAP? If not, is there any way to help the customer turn on IMAP support without making him/her go through these steps:

http://mail.google.com/support/bin/answer.py?answer=77695

In other words, I'd like to simply ask the user for permission to access his/her email via IMAP, period. The user can say yes or no. No other passwords or fiddling with gmail settings. Is this possible using OAuth?